====== Система Kubernetes ====== * [[https://kubernetes.io/ru/docs/home/|Документация по Kubernetes (на русском)]] * [[https://youtu.be/sLQefhPfwWE|youtube Введение в Kubernetes на примере Minikube]] * [[https://www.youtube.com/playlist?list=PLg5SS_4L6LYvN1RqaVesof8KAf-02fJSi|youtube Kubernetes на Русском Языке 12 видео]] * [[https://habr.com/ru/company/domclick/blog/577964/|Ультимативный гайд по созданию CI/CD в GitLab с автодеплоем в Kubernetes на голом железе всего за 514$ в год ( ͡° ͜ʖ ͡°)]] * [[https://habr.com/ru/company/flant/blog/513908/|Полноценный Kubernetes с нуля на Raspberry Pi]] * [[https://habr.com/ru/companies/domclick/articles/566224/|Различия между Docker, containerd, CRI-O и runc]] * [[https://habr.com/ru/company/vk/blog/542730/|11 факапов PRO-уровня при внедрении Kubernetes и как их избежать]] * [[https://github.com/dgkanatsios/CKAD-exercises|A set of exercises that helped me prepare for the Certified Kubernetes Application Developer exam]] * [[https://www.youtube.com/watch?v=XZQ7-7vej6w|Наш опыт с Kubernetes в небольших проектах / Дмитрий Столяров (Флант)]] * [[https://habr.com/ru/companies/aenix/articles/541118/|Ломаем и чиним Kubernetes]] ===== Инструмент командной строки kubectl ===== * [[https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands]] ==== Установка ==== === Linux === # curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl # chmod +x kubectl # mv kubectl /usr/local/bin/ === Windows === * [[https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/|Install and Set Up kubectl on Windows]] cmder$ curl -LO "https://dl.k8s.io/release/v1.29.0/bin/windows/amd64/kubectl.exe" cmder$ mv kubectl.exe /usr/bin ==== Подключение к кластеру ==== mkdir ~/.kube/ scp root@192.168.X.2N1:.kube/config ~/.kube/ cat ~/.kube/config ... server: https://192.168.X.2N1:6443 ... kubectl get all -o wide --all-namespaces kubectl get all -o wide -A === Настройка автодополнения === gitlab-runner@server:~$ source <(kubectl completion bash) === Подключение к другому кластеру === gitlab-runner@server:~$ scp root@kube1:.kube/config .kube/config_kube1 gitlab-runner@server:~$ cat .kube/config_kube1 ... .kube/config_kube1 ... gitlab-runner@server:~$ export KUBECONFIG=~/.kube/config_kube1 gitlab-runner@server:~$ kubectl get nodes ===== Установка minikube ===== * [[https://www.linuxtechi.com/how-to-install-minikube-on-ubuntu/|How to Install Minikube on Ubuntu 20.04 LTS / 21.04]] * [[https://minikube.sigs.k8s.io/docs/start/|Documentation/Get Started/minikube start]] root@server:~# apt install -y curl wget apt-transport-https root@server:~# wget https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 root@server:~# mv minikube-linux-amd64 /usr/local/bin/minikube root@server:~# chmod +x /usr/local/bin/minikube * Технология Docker [[Технология Docker#Предоставление прав непривилегированным пользователям]] gitlab-runner@server:~$ ### minikube delete gitlab-runner@server:~$ ### rm -rv .minikube/ gitlab-runner@server:~$ time minikube start --driver=docker --insecure-registry "server.corpX.un:5000" real 29m8.320s ... gitlab-runner@server:~$ minikube status gitlab-runner@server:~$ minikube ip gitlab-runner@server:~$ minikube addons list gitlab-runner@server:~$ minikube addons configure registry-creds #Не нужно для registry попубличных проектов ... Do you want to enable Docker Registry? [y/n]: y -- Enter docker registry server url: http://server.corpX.un:5000 -- Enter docker registry username: student -- Enter docker registry password: ... gitlab-runner@server:~$ minikube addons enable registry-creds gitlab-runner@server:~$ minikube kubectl -- get pods -A gitlab-runner@server:~$ alias kubectl='minikube kubectl --' gitlab-runner@server:~$ kubectl get pods -A или * [[#Инструмент командной строки kubectl]] gitlab-runner@server:~$ ###minikube stop gitlab-runner@server:~$ ###minikube start ===== Кластер Kubernetes ===== ==== Развертывание через kubeadm ==== * [[https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/|kubernetes.io Creating a cluster with kubeadm]] * [[https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/]] * [[https://www.baeldung.com/ops/kubernetes-cluster-components|Kubernetes Cluster Components]] === Подготовка узлов === node1# ssh-keygen node1# ssh-copy-id node2 node1# ssh-copy-id node3 node1# bash -c ' swapoff -a ssh node2 swapoff -a ssh node3 swapoff -a ' node1# bash -c ' sed -i"" -e "/swap/s/^/#/" /etc/fstab ssh node2 sed -i"" -e "/swap/s/^/#/" /etc/fstab ssh node3 sed -i"" -e "/swap/s/^/#/" /etc/fstab ' === Установка ПО === === !!! Обратитесь к преподавателю !!! === * [[https://www.linuxtechi.com/install-kubernetes-on-ubuntu-22-04/|How to Install Kubernetes Cluster on Ubuntu 22.04]] * [[https://www.linuxtechi.com/install-kubernetes-cluster-on-debian/|https://www.linuxtechi.com/install-kubernetes-cluster-on-debian/]] == Установка и настройка CRI == node1_2_3# apt-get install -y docker.io Проверяем, если: node1# containerd config dump | grep SystemdCgroup SystemdCgroup = false (может понадобиться rm /etc/containerd/config.toml ) то, выполняем следующие 4-ре команды: bash -c 'mkdir -p /etc/containerd/ ssh node2 mkdir -p /etc/containerd/ ssh node3 mkdir -p /etc/containerd/ ' bash -c 'containerd config default > /etc/containerd/config.toml ssh node2 "containerd config default > /etc/containerd/config.toml" ssh node3 "containerd config default > /etc/containerd/config.toml" ' bash -c 'sed -i "s/SystemdCgroup \= false/SystemdCgroup \= true/g" /etc/containerd/config.toml ssh node2 sed -i \"s/SystemdCgroup \= false/SystemdCgroup \= true/g\" /etc/containerd/config.toml ssh node3 sed -i \"s/SystemdCgroup \= false/SystemdCgroup \= true/g\" /etc/containerd/config.toml ' bash -c 'service containerd restart ssh node2 service containerd restart ssh node3 service containerd restart ' == Подключаем репозиторий и устанавливаем ПО == bash -c 'mkdir -p /etc/apt/keyrings ssh node2 mkdir -p /etc/apt/keyrings ssh node3 mkdir -p /etc/apt/keyrings ' bash -c 'curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg ssh node2 "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" ssh node3 "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" ' bash -c 'echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list ssh node2 echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" \| tee /etc/apt/sources.list.d/kubernetes.list ssh node3 echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" \| tee /etc/apt/sources.list.d/kubernetes.list ' bash -c 'apt-get update && apt-get install -y kubelet kubeadm kubectl ssh node2 "apt-get update && apt-get install -y kubelet kubeadm kubectl" ssh node3 "apt-get update && apt-get install -y kubelet kubeadm kubectl" ' === Инициализация master === root@node1:~# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.X.201 root@node1:~# mkdir -p $HOME/.kube root@node1:~# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config root@node1:~# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml (использует модуль br_netfilter) root@node1:~# kubectl get pod -o wide --all-namespaces root@node1:~# kubectl get --raw='/readyz?verbose' === Подключение worker === root@node2_3:~# curl -k https://node1:6443/livez?verbose root@node2_3:~# kubeadm join 192.168.X.201:6443 --token NNNNNNNNNNNNNNNNNNNN \ --discovery-token-ca-cert-hash sha256:NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN root@node2_3:~# curl -sSL http://127.0.0.1:10248/healthz root@node1:~# kubeadm token list root@node1:~# kubeadm token create --print-join-command === Проверка состояния === root@node1:~# kubectl cluster-info root@node1:~# kubectl get nodes -o wide root@node1:~# kubectl describe node node2 === Удаление узла === * [[https://stackoverflow.com/questions/56064537/how-to-remove-broken-nodes-in-kubernetes|How to remove broken nodes in Kubernetes]] $ kubectl cordon kube3 $ time kubectl drain kube3 #--ignore-daemonsets --delete-emptydir-data --force $ kubectl delete node kube3 === Удаление кластера === * [[https://stackoverflow.com/questions/44698283/how-to-completely-uninstall-kubernetes|How to completely uninstall kubernetes]] node1# bash -c ' kubeadm reset ssh node2 kubeadm reset ssh node3 kubeadm reset ' === Настройка доступа к Insecure Private Registry === === !!! Обратитесь к преподавателю !!! === * [[https://github.com/containerd/containerd/issues/4938|Unable to pull image from insecure registry, http: server gave HTTP response to HTTPS client #4938]] * [[https://github.com/containerd/containerd/issues/3847|Containerd cannot pull image from insecure registry #3847]] * [[https://mrzik.medium.com/how-to-configure-private-registry-for-kubernetes-cluster-running-with-containerd-cf74697fa382|How to Configure Private Registry for Kubernetes cluster running with containerd]] * [[https://github.com/containerd/containerd/blob/main/docs/PLUGINS.md#version-header|containerd/docs/PLUGINS.md migrate config v1 to v2]] == сontainerd == root@node1:~# mkdir -p /etc/containerd/ root@node1:~# cat /etc/containerd/config.toml ... [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."server.corpX.un:5000"] endpoint = ["http://server.corpX.un:5000"] ... node1# bash -c ' ssh node2 mkdir -p /etc/containerd/ ssh node3 mkdir -p /etc/containerd/ scp /etc/containerd/config.toml node2:/etc/containerd/config.toml scp /etc/containerd/config.toml node3:/etc/containerd/config.toml systemctl restart containerd ssh node2 systemctl restart containerd ssh node3 systemctl restart containerd ' root@nodeN:~# containerd config dump | less Проверка root@nodeN:~# crictl -r unix:///run/containerd/containerd.sock pull server.corpX.un:5000/student/gowebd ==== Развертывание через Kubespray ==== === !!! Обратитесь к преподавателю !!! === * [[https://github.com/kubernetes-sigs/kubespray]] * [[https://habr.com/ru/companies/domclick/articles/682364/|Самое подробное руководство по установке высокодоступного (почти ಠ ͜ʖ ಠ ) Kubernetes-кластера]] * [[https://habr.com/ru/companies/X5Tech/articles/645651/|Bare-metal kubernetes-кластер на своём локальном компьютере]] * [[https://internet-lab.ru/k8s_kubespray|Kubernetes — установка через Kubespray]] * [[https://www.mshowto.org/en/ubuntu-sunucusuna-kubespray-ile-kubernetes-kurulumu.html|Installing Kubernetes on Ubuntu Server with Kubespray]] * [[https://kubernetes.io/docs/setup/production-environment/tools/kubespray/|Installing Kubernetes with Kubespray]] == Подготовка к развертыванию через Kubespray == kube1# ssh-keygen kube1# ssh-copy-id kube1;ssh-copy-id kube2;ssh-copy-id kube3;ssh-copy-id kube4; kube1# #apt update kube1# #apt install python3-pip -y kube1# git clone https://github.com/kubernetes-sigs/kubespray kube1# cd kubespray/ ~/kubespray# grep -r containerd_insecure_registries . ~/kubespray# git log ~/kubespray# git branch -r ~/kubespray# git checkout origin/release-2.22 ~/kubespray# git tag -l ~/kubespray# ### git checkout tags/v2.22.1 ~/kubespray# ### git checkout 4c37399c7582ea2bfb5202c3dde3223f9c43bf59 ~/kubespray# ### git checkout master * Может потребоваться [[Язык программирования Python#Виртуальная среда Python]] ~/kubespray# time pip3 install -r requirements.txt real 1m48.202s ~/kubespray# cp -rvfpT inventory/sample inventory/mycluster ~/kubespray# declare -a IPS=(kube1,192.168.X.221 kube2,192.168.X.222 kube3,192.168.X.223) ~/kubespray# CONFIG_FILE=inventory/mycluster/hosts.yaml python3 contrib/inventory_builder/inventory.py ${IPS[@]} ~/kubespray# less inventory/mycluster/hosts.yaml * [[Сервис Ansible#Использование модулей]] Ansible для отключения swap * Может потребоваться [[Сервис Ansible#Роль настроенного через ifupdown узла сети]] == Развертывание кластера через Kubespray == ~/kubespray# time ansible-playbook -i inventory/mycluster/hosts.yaml cluster.yml real 45m31.796s kube1# less ~/.kube/config ~/kubespray# ###time ansible-playbook -i inventory/mycluster/hosts.yaml reset.yml real 7m31.796s === Добавление узла через Kubespray === * [[https://github.com/kubernetes-sigs/kubespray/blob/master/docs/operations/nodes.md|Adding/replacing a node (github.com/kubernetes-sigs/kubespray)]] * [[https://nixhub.ru/posts/k8s-nodes-scale/|K8s - добавление нод через kubespray]] * [[https://blog.unetresgrossebite.com/?p=934|Redeploy Kubernetes Nodes with KubeSpray]] ~/kubespray# cat inventory/mycluster/hosts.yaml ... node4: ansible_host: 192.168.X.204 ip: 192.168.X.204 access_ip: 192.168.X.204 ... kube_node: ... node4: ... ~/kubespray# time ansible-playbook -i inventory/mycluster/hosts.yaml --limit=kube4 scale.yml real 17m37.459s $ kubectl get nodes -o wide === Добавление insecure_registries через Kubespray === ~/kubespray# cat inventory/mycluster/group_vars/all/containerd.yml ... containerd_insecure_registries: "server.corpX.un:5000": "http://server.corpX.un:5000" containerd_registry_auth: - registry: server.corpX.un:5000 username: student password: Pa$$w0rd ... ~/kubespray# time ansible-playbook -i inventory/mycluster/hosts.yaml cluster.yml user 46m37.151s # less /etc/containerd/config.toml === Управление дополнениями через Kubespray === ~/kubespray# cat inventory/mycluster/group_vars/k8s_cluster/addons.yml ... helm_enabled: true ... ingress_nginx_enabled: true ingress_nginx_host_network: true ... ===== Базовые объекты k8s ===== ==== Deployment, Replica Sets, Pods ==== * [[https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/|Define a Command and Arguments for a Container]] * [[https://kubernetes.io/ru/docs/reference/kubectl/docker-cli-to-kubectl/|kubectl для пользователей Docker]] * [[https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/|Run a Stateless Application Using a Deployment]] $ kubectl api-resources $ kubectl run my-debian --image=debian -- "sleep" "3600" $ ###kubectl run -ti --rm my-debian --image=debian --overrides='{"spec": { "nodeSelector": {"kubernetes.io/hostname": "kube4"}}}' $ kubectl get pods kubeN# crictl ps | grep debi kubeN# crictl images nodeN# ctr ns ls nodeN# ctr -n=k8s.io image ls | grep debi $ kubectl delete pod my-debian $ ###kubectl delete pod my-debian --grace-period=0 --force $ kubectl create deployment my-debian --image=debian -- "sleep" "infinity" $ kubectl get all $ kubectl get deployments $ kubectl get replicasets * [[#Настройка автодополнения]] $ kubectl attach my-debian-NNNNNNNNN-NNNNN $ kubectl exec -ti my-debian-NNNNNNNNN-NNNNN -- bash Ctrl-D $ kubectl get deployment my-debian -o yaml * [[Переменные окружения]] EDITOR $ kubectl edit deployment my-debian $ kubectl get pods -o wide $ kubectl delete deployment my-debian * [[https://kubernetes.io/docs/reference/glossary/?all=true#term-manifest|Kubernetes Documentation Reference Glossary/Manifest]] $ cat my-debian-deployment.yaml apiVersion: apps/v1 kind: ReplicaSet #kind: Deployment metadata: name: my-debian spec: selector: matchLabels: app: my-debian replicas: 2 template: metadata: labels: app: my-debian spec: containers: - name: my-debian image: debian command: ["/bin/sh"] args: ["-c", "while true; do echo hello; sleep 3;done"] restartPolicy: Always $ kubectl apply -f my-debian-deployment.yaml #--dry-run=client #-o yaml ... $ kubectl delete -f my-debian-deployment.yaml ==== namespace для своего приложения ==== * [[https://matthewpalmer.net/kubernetes-app-developer/articles/kubernetes-volumes-example-nfs-persistent-volume.html|How to use an NFS volume]] * [[https://www.kryukov.biz/kubernetes/lokalnye-volumes/emptydir/|emptyDir]] * [[https://hub.docker.com/_/httpd|The Apache HTTP Server Project - httpd Docker Official Image]] * [[https://habr.com/ru/companies/oleg-bunin/articles/761662/|Дополнительные контейнеры в Kubernetes и где они обитают: от паттернов к автоматизации управления]] * [[https://stackoverflow.com/questions/39436845/multiple-command-in-poststart-hook-of-a-container|multiple command in postStart hook of a container]] * [[https://stackoverflow.com/questions/33887194/how-to-set-multiple-commands-in-one-yaml-file-with-kubernetes|How to set multiple commands in one yaml file with Kubernetes?]] $ kubectl create namespace my-ns $ kubectl get namespaces $ ### kubectl create deployment my-webd --image=server.corpX.un:5000/student/webd:latest --replicas=2 -n my-ns $ ### kubectl delete deployment my-webd -n my-ns $ cd webd/ $ cat my-webd-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: my-webd spec: selector: matchLabels: app: my-webd replicas: 2 template: metadata: labels: app: my-webd spec: containers: - name: my-webd # image: server.corpX.un:5000/student/webd # image: server.corpX.un:5000/student/webd:ver1.N # imagePullPolicy: "Always" # image: httpd # lifecycle: # postStart: # exec: # command: # - /bin/sh # - -c # - | # cd /usr/local/apache2/htdocs/ # echo "

Hello from apache2 on $(hostname)

" > index.html # echo "" >> index.html # env: # - name: APWEBD_HOSTNAME # value: "apwebd.corpX.un" # - name: KEYCLOAK_HOSTNAME # value: "keycloak.corpX.un" # - name: REALM_NAME # value: "corpX" # livenessProbe: # httpGet: # port: 80 # volumeMounts: # - mountPath: /usr/local/apache2/htdocs # name: htdocs-volume # volumeMounts: # - name: nfs-volume # mountPath: /var/www # volumes: # - emptyDir: {} # name: htdocs-volume # volumes: # - name: nfs-volume # nfs: # server: server.corpX.un # path: /var/www # initContainers: # - name: load-htdocs-files # image: curlimages/curl ## command: ['sh', '-c', 'mkdir /mnt/img; curl http://val.bmstu.ru/unix/Media/logo.gif > /mnt/img/logo.gif'] # command: ["/bin/sh", "-c"] # args: # - | # mkdir /mnt/img; cd /mnt/img # curl http://val.bmstu.ru/unix/Media/logo.gif > logo.gif # ls -lR /mnt/ # volumeMounts: # - mountPath: /mnt # name: htdocs-volume
$ kubectl apply -f my-webd-deployment.yaml -n my-ns #--dry-run=client #-o yaml $ kubectl get all -n my-ns -o wide $ kubectl describe -n my-ns pod/my-webd-NNNNNNNNNN-NNNNN $ kubectl -n my-ns logs pod/my-webd-NNNNNNNNNN-NNNNN #-c load-htdocs-files $ kubectl scale deployment my-webd --replicas=3 -n my-ns $ kubectl delete pod/my-webd-NNNNNNNNNN-NNNNN -n my-ns === Версии deployment === * [[https://learnk8s.io/kubernetes-rollbacks|How do you rollback deployments in Kubernetes?]] gitlab-runner@server:~$ kubectl -n my-ns rollout history deployment/my-webd deployment.apps/my-webd REVISION CHANGE-CAUSE 1 ... N gitlab-runner@server:~$ kubectl -n my-ns rollout history deployment/my-webd --revision=1 ... Image: server.corpX.un:5000/student/webd:ver1.1 ... kubectl -n my-ns rollout undo deployment/my-webd --to-revision=1 gitlab-runner@server:~$ kubectl -n my-ns rollout undo deployment/my-webd --to-revision=1 gitlab-runner@server:~$ kubectl -n my-ns rollout history deployment/my-webd deployment.apps/my-webd REVISION CHANGE-CAUSE 2 ... N+1 ==== Service ==== * [[https://kubernetes.io/docs/concepts/services-networking/service/|Kubernetes Documentation Concepts Services, Load Balancing, and Networking Service]] * [[https://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster/|Accessing Kubernetes Pods From Outside of the Cluster]] * [[https://stackoverflow.com/questions/33069736/how-do-i-get-logs-from-all-pods-of-a-kubernetes-replication-controller|How do I get logs from all pods of a Kubernetes replication controller?]] $ ### kubectl expose deployment my-webd --type=NodePort --port=80 -n my-ns $ ### kubectl delete svc my-webd -n my-ns $ cat my-webd-service.yaml apiVersion: v1 kind: Service metadata: name: my-webd spec: # type: NodePort # type: LoadBalancer # loadBalancerIP: 192.168.X.64 selector: app: my-webd ports: - protocol: TCP port: 80 # nodePort: 30111 $ kubectl apply -f my-webd-service.yaml -n my-ns $ kubectl logs -l app=my-webd -n my-ns (доступны опции -f, --tail=2000, --previous) === NodePort === * [[https://www.baeldung.com/ops/kubernetes-nodeport-range|Why Kubernetes NodePort Services Range From 30000 – 32767]] $ kubectl get svc my-webd -n my-ns NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-webd-svc NodePort 10.102.135.146 80:NNNNN/TCP 18h $ kubectl describe svc my-webd -n my-ns $ curl http://node1,2,3:NNNNN на "самодельном kubeadm" кластере работает не стабильно == NodePort Minikube == $ minikube service list $ minikube service my-webd --url -n my-ns http://192.168.49.2:NNNNN $ curl http://192.168.49.2:NNNNN === LoadBalancer === == MetalLB == * [[https://www.adaltas.com/en/2022/09/08/kubernetes-metallb-nginx/|Ingresses and Load Balancers in Kubernetes with MetalLB and nginx-ingress]] * [[https://metallb.universe.tf/installation/|Installation]] * [[https://metallb.universe.tf/configuration/_advanced_ipaddresspool_configuration/|Advanced AddressPool configuration]] * [[https://metallb.universe.tf/configuration/_advanced_l2_configuration/|Advanced L2 configuration]] $ kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.14.3/config/manifests/metallb-native.yaml $ kubectl -n metallb-system get all $ cat first-pool.yaml --- apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: first-pool namespace: metallb-system spec: addresses: - 192.168.X.64/28 autoAssign: false --- apiVersion: metallb.io/v1beta1 kind: L2Advertisement metadata: name: first-pool-advertisement namespace: metallb-system spec: ipAddressPools: - first-pool interfaces: - eth0 $ kubectl apply -f first-pool.yaml $ ### kubectl delete -f first-pool.yaml && rm first-pool.yaml $ ### kubectl delete -f https://raw.githubusercontent.com/metallb/metallb/v0.14.3/config/manifests/metallb-native.yaml === ClusterIP === kube1# host my-webd.my-ns.svc.cluster.local 169.254.25.10 ...10.102.135.146... server# ssh -p 32222 nodeN my-openssh-server-NNNNNNNN-NNNNN:~# curl my-webd.my-ns.svc.cluster.local ИЛИ my-openssh-server-NNNNNNNN-NNNNN:~# curl my-webd-webd-chart.my-ns.svc.cluster.local == port-forward == * [[#Инструмент командной строки kubectl]] node1/kube1# kubectl port-forward -n my-ns --address 0.0.0.0 services/my-webd 1234:80 cmder> kubectl port-forward -n my-ns services/my-webd 1234:80 * http://192.168.X.2N1:1234 * http://localhost:1234 node1/kube1# kubectl -n my-ns delete pod/my-webd... == kubectl proxy == * [[#Инструмент командной строки kubectl]] kube1:~# kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' cmder> kubectl proxy * http://192.168.X.2N1:8001/api/v1/namespaces/my-ns/services/my-webd:80/proxy/ * http://localhost:8001/api/v1/namespaces/my-ns/services/my-webd:80/proxy/ ==== Удаление объектов ==== $ kubectl get all -n my-ns $ kubectl delete -n my-ns -f my-webd-deployment.yaml,my-webd-service.yaml или $ kubectl delete namespace my-ns ==== Ingress ==== * [[https://kubernetes.github.io/ingress-nginx/deploy/#quick-start|NGINX ingress controller quick-start]] === Minikube ingress-nginx-controller === * [[https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/|Set up Ingress on Minikube with the NGINX Ingress Controller]] * [[https://www.golinuxcloud.com/kubectl-port-forward/|kubectl port-forward examples in Kubernetes]] server# cat /etc/bind/corpX.un ... webd A 192.168.49.2 gitlab-runner@server:~$ minikube addons enable ingress === Baremetal ingress-nginx-controller === * [[https://github.com/kubernetes/ingress-nginx/tags]] Версии * [[https://stackoverflow.com/questions/61616203/nginx-ingress-controller-failed-calling-webhook|Nginx Ingress Controller - Failed Calling Webhook]] * [[https://stackoverflow.com/questions/51511547/empty-address-kubernetes-ingress|Empty ADDRESS kubernetes ingress]] * [[https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters|ingress-nginx/deploy/bare-metal-clusters]] server# cat /etc/bind/corpX.un ... webd A 192.168.X.202 A 192.168.X.203 gowebd CNAME webd node1# curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/baremetal/deploy.yaml | tee ingress-nginx.controller-v1.3.1.baremetal.yaml node1# cat ingress-nginx.controller-v1.3.1.baremetal.yaml ... kind: Deployment ... spec: ... replicas: 3 ### insert this (equial count of worker nodes) template: ... terminationGracePeriodSeconds: 300 hostNetwork: true ###insert this volumes: ... node1# kubectl apply -f ingress-nginx.controller-v1.3.1.baremetal.yaml node1# kubectl get all -n ingress-nginx node1# ###kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission node1# ###kubectl delete -f ingress-nginx.controller-v1.3.1.baremetal.yaml === Управление конфигурацией ingress-nginx-controller === master-1:~$ kubectl exec -n ingress-nginx pods/ingress-nginx-controller- -- cat /etc/nginx/nginx.conf | tee nginx.conf master-1:~$ kubectl edit -n ingress-nginx configmaps ingress-nginx-controller ... data: use-forwarded-headers: "true" ... === Итоговый вариант с DaemonSet === node1# diff ingress-nginx.controller-v1.8.2.baremetal.yaml.orig ingress-nginx.controller-v1.8.2.baremetal.yaml 323a324 > use-forwarded-headers: "true" 391c392,393 < kind: Deployment --- > #kind: Deployment > kind: DaemonSet 409,412c411,414 < strategy: < rollingUpdate: < maxUnavailable: 1 < type: RollingUpdate --- > # strategy: > # rollingUpdate: > # maxUnavailable: 1 > # type: RollingUpdate 501a504 > hostNetwork: true node1# kubectl -n ingress-nginx describe service/ingress-nginx-controller ... Endpoints: 192.168.X.221:80,192.168.X.222:80,192.168.X.223:80 ... === ingress example === node1# ### kubectl create ingress my-ingress --class=nginx --rule="webd.corpX.un/*=my-webd:80" -n my-ns node1# cat my-ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: ingressClassName: nginx # tls: # - hosts: # - gowebd.corpX.un # secretName: gowebd-tls rules: - host: webd.corpX.un http: paths: - backend: service: name: my-webd port: number: 80 path: / pathType: Prefix - host: gowebd.corpX.un http: paths: - backend: service: name: my-gowebd port: number: 80 path: / pathType: Prefix node1# kubectl apply -f my-ingress.yaml -n my-ns node1# kubectl get ingress -n my-ns NAME CLASS HOSTS ADDRESS PORTS AGE my-webd nginx webd.corpX.un,gowebd.corpX.un 192.168.X.202,192.168.X.203 80 14m * [[Утилита curl]] $ curl webd.corpX.un $ curl gowebd.corpX.un $ curl https://gowebd.corpX.un #-kv $ curl http://nodeN/ -H "Host: webd.corpX.un" $ curl --connect-to "":"":kubeN:443 https://gowebd.corpX.un #-vk $ kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -f node1# ### kubectl delete ingress my-ingress -n my-ns === secrets tls === * [[https://devopscube.com/configure-ingress-tls-kubernetes/|How To Configure Ingress TLS/SSL Certificates in Kubernetes]] $ kubectl create secret tls gowebd-tls --key gowebd.key --cert gowebd.crt -n my-ns $ kubectl get secrets -n my-ns $ kubectl get secret/gowebd-tls -o yaml -n my-ns $ ###kubectl delete secret/gowebd-tls -n my-ns ==== Volumes ==== === PersistentVolume и PersistentVolumeVolumeClaim === root@node1:~# ssh node2 mkdir /disk2 root@node1:~# ssh node2 touch /disk2/disk2_node2 root@node1:~# kubectl label nodes node2 disk2=yes root@node1:~# kubectl get nodes --show-labels root@node1:~# ###kubectl label nodes node2 disk2- root@node1:~# cat my-debian-deployment.yaml ... args: ["-c", "while true; do echo hello; sleep 3;done"] volumeMounts: - name: my-disk2-volume mountPath: /data # volumeMounts: # - name: data # mountPath: /data volumes: - name: my-disk2-volume hostPath: path: /disk2/ nodeSelector: disk2: "yes" # volumes: # - name: data # persistentVolumeClaim: # claimName: my-ha-pvc-sz64m restartPolicy: Always root@node1:~# kubectl apply -f my-debian-deployment.yaml root@node1:~# kubectl get all -o wide * [[https://qna.habr.com/q/629022|Несколько Claim на один Persistent Volumes?]] * [[https://serveradmin.ru/hranilishha-dannyh-persistent-volumes-v-kubernetes/|Хранилища данных (Persistent Volumes) в Kubernetes]] * [[https://stackoverflow.com/questions/59915899/limit-persistent-volume-claim-content-folder-size-using-hostpath|Limit persistent volume claim content folder size using hostPath]] * [[https://stackoverflow.com/questions/63490278/kubernetes-persistent-volume-hostpath-vs-local-and-data-persistence|Kubernetes persistent volume: hostpath vs local and data persistence]] * [[https://www.alibabacloud.com/blog/kubernetes-volume-basics-emptydir-and-persistentvolume_594834|Kubernetes Volume Basics: emptyDir and PersistentVolume]] root@node1:~# cat my-ha-pv.yaml apiVersion: v1 kind: PersistentVolume metadata: name: my-pv-node2-sz-128m-num-001 # name: my-pv-kube3-keycloak labels: type: local spec: ## comment storageClassName for keycloak storageClassName: my-ha-sc capacity: storage: 128Mi # storage: 8Gi accessModes: - ReadWriteMany # - ReadWriteOnce hostPath: path: /disk2 persistentVolumeReclaimPolicy: Retain nodeAffinity: required: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - node2 # - kube3 root@node1:~# kubectl apply -f my-ha-pv.yaml root@node1:~# kubectl get persistentvolume или root@node1:~# kubectl get pv root@kube1:~# ###ssh kube3 'mkdir /disk2/; chmod 777 /disk2/' ... root@node1:~# ###kubectl delete pv my-pv- root@node1:~# cat my-ha-pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: my-ha-pvc-sz64m spec: storageClassName: my-ha-sc # storageClassName: local-path accessModes: - ReadWriteMany resources: requests: storage: 64Mi root@node1:~# kubectl apply -f my-ha-pvc.yaml root@node1:~# kubectl get persistentvolumeclaims или root@node1:~# kubectl get pvc ... root@node1:~# ### kubectl delete pvc my-ha-pvc-sz64m === Dynamic Volume Provisioning === * [[https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/|Dynamic Volume Provisioning]] * [[https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/|Changing the default StorageClass]] === rancher local-path-provisioner === * [[https://github.com/rancher/local-path-provisioner|rancher local-path-provisioner]] * [[https://artifacthub.io/packages/helm/ebrianne/local-path-provisioner|This chart bootstraps a deployment on a cluster using the package manager]] $ kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.26/deploy/local-path-storage.yaml $ kubectl get sc $ kubectl -n local-path-storage get all $ curl https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.26/deploy/local-path-storage.yaml | less /DEFAULT_PATH_FOR_NON_LISTED_NODES ssh root@kube1 'mkdir /opt/local-path-provisioner' ssh root@kube2 'mkdir /opt/local-path-provisioner' ssh root@kube3 'mkdir /opt/local-path-provisioner' ssh root@kube1 'chmod 777 /opt/local-path-provisioner' ssh root@kube2 'chmod 777 /opt/local-path-provisioner' ssh root@kube3 'chmod 777 /opt/local-path-provisioner' $ ###kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' * Сервис Keycloak в [[Сервис Keycloak#Kubernetes]] $ kubectl get pvc -n my-keycloak-ns $ kubectl get pv $ ###kubectl -n my-keycloak-ns delete pvc data-my-keycloak-postgresql-0 === longhorn === kubeN:~# apt install open-iscsi * [[https://github.com/longhorn/longhorn]] $ kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml $ kubectl -n longhorn-system get pods -o wide --watch Setting->General Pod Deletion Policy When Node is Down: delete-statefuset-pod Подключение через kubectl proxy * [[https://stackoverflow.com/questions/45172008/how-do-i-access-this-kubernetes-service-via-kubectl-proxy|How do I access this Kubernetes service via kubectl proxy?]] cmder> kubectl proxy * http://localhost:8001/api/v1/namespaces/longhorn-system/services/longhorn-frontend:80/proxy/ Подключение через ingress !!! Добавить пример с аутентификацией !!! student@server:~/longhorn$ cat ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: longhorn-ingress namespace: longhorn-system spec: ingressClassName: nginx rules: - host: lh.corp13.un http: paths: - backend: service: name: longhorn-frontend port: number: 80 path: / pathType: Prefix == Использование snapshot-ов == * [[https://github.com/longhorn/longhorn/issues/63?ref=https%3A%2F%2Fgiter.vip|What should be the best procedure to recover a snapshot or a backup in rancher2/longhorn ?]] * Делаем снапшот * Что-то ломаем (удаляем пользователя) * Останавливаем сервис kube1:~# kubectl -n my-keycloak-ns scale --replicas 0 statefulset my-keycloak kube1:~# kubectl -n my-keycloak-ns scale --replicas 0 statefulset my-keycloak-postgresql * Volume -> Attache to Host (любой) в режиме Maintenance, Revert к снапшоту, Deattache * Запускаем сервис kube1:~# kubectl -n my-keycloak-ns scale --replicas 1 statefulset my-keycloak-postgresql kube1:~# kubectl -n my-keycloak-ns scale --replicas 2 statefulset my-keycloak == Использование backup-ов == * Разворачиваем [[Сервис NFS]] на server Setting -> General -> Backup Target -> nfs://server.corp13.un:/var/www (nfs client linux не нужен) * Volume -> Create Backup, удаляем NS, восстанавливаем Volume из бекапа, создаем NS и создаем для Volume PV/PVC как было, устанавливаем чарт, он подхватывает pv/pvc ==== ConfigMap ==== * [[https://www.aquasec.com/cloud-native-academy/kubernetes-101/kubernetes-configmap/|Kubernetes ConfigMap: Creating, Viewing, Consuming & Managing]] * [[https://blog.lapw.at/how-to-enable-ssh-into-a-kubernetes-pod/|How to enable SSH connections into a Kubernetes pod]] root@node1:~# cat sshd_config PermitRootLogin yes PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no root@node1:~# kubectl create configmap ssh-config --from-file=sshd_config --dry-run=client -o yaml ... server:~# cat .ssh/id_rsa.pub ... root@node1:~# cat my-openssh-server-deployment.yaml apiVersion: v1 kind: ConfigMap metadata: name: ssh-config data: sshd_config: | PermitRootLogin yes PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no authorized_keys: | ssh-rsa AAAAB.....C0zOcZ68= root@server.corpX.un --- apiVersion: apps/v1 kind: Deployment metadata: name: my-openssh-server spec: selector: matchLabels: app: my-openssh-server template: metadata: labels: app: my-openssh-server spec: containers: - name: my-openssh-server image: linuxserver/openssh-server command: ["/bin/sh"] args: ["-c", "/usr/bin/ssh-keygen -A; usermod -p '*' root; /usr/sbin/sshd.pam -D"] ports: - containerPort: 22 volumeMounts: - name: ssh-volume subPath: sshd_config mountPath: /etc/ssh/sshd_config - name: ssh-volume subPath: authorized_keys mountPath: /root/.ssh/authorized_keys volumes: - name: ssh-volume configMap: name: ssh-config --- apiVersion: v1 kind: Service metadata: name: my-openssh-server spec: type: NodePort ports: - port: 22 nodePort: 32222 selector: app: my-openssh-server root@node1:~# kubectl apply -f my-openssh-server-deployment.yaml root@node1:~# iptables-save | grep 32222 root@node1:~# ###kubectl exec -ti my-openssh-server-NNNNNNNN-NNNNN -- bash server:~# ssh -p 32222 nodeN Welcome to OpenSSH Server my-openssh-server-NNNNNNNN-NNNNN:~# nslookup my-openssh-server.default.svc.cluster.local ==== Пример с multi container pod ==== * [[https://www.mirantis.com/blog/multi-container-pods-and-container-communication-in-kubernetes/|Kubernetes multi-container pods and container communication]] * [[https://stackoverflow.com/questions/39979880/kubectl-exec-into-container-of-a-multi-container-pod|kubectl exec into container of a multi container pod]] * [[https://betterprogramming.pub/how-to-ssh-into-a-kubernetes-pod-from-outside-the-cluster-354b4056c42b|How to SSH Into a Kubernetes Pod From Outside the Cluster]] * [[https://serverfault.com/questions/1013402/is-it-possible-to-expose-2-ports-in-kubernetes-pod|Is it possible to expose 2 ports in Kubernetes pod?]] gitlab-runner@gate:~/webd$ cat my-webd-ssh-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: my-webd-ssh namespace: my-ns spec: selector: matchLabels: app: my-webd-ssh replicas: 1 template: metadata: labels: app: my-webd-ssh spec: containers: - name: my-webd image: server.corpX.un:5000/student/webd:latest volumeMounts: - name: html mountPath: /var/www - name: my-ssh image: atmoz/sftp args: ["user3:password3:10003"] volumeMounts: - name: html mountPath: /home/user3/www volumes: - name: html emptyDir: {} ... $ kubectl describe pod my-webd-NNNNNNNNNN-NNNNN -n my-ns $ kubectl exec -ti -n my-ns my-webd-NNNNNNNNNN-NNNNN -c my-ssh -- bash $ ### kubectl expose deployment my-webd-ssh --type=NodePort --port=80,22 -n my-ns $ cat my-webd-ssh-service.yaml apiVersion: v1 kind: Service metadata: name: my-webd-ssh namespace: my-ns spec: type: NodePort selector: app: my-webd-ssh ports: - name: http protocol: TCP port: 80 targetPort: 80 - name: ssh protocol: TCP port: 22 targetPort: 22 ===== Helm ===== ==== Установка Helm ==== * [[https://helm.sh/docs/intro/install/|Installing Helm]] * [[https://github.com/helm/helm/releases|helm releases]] # wget https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz # tar -zxvf helm-v3.9.0-linux-amd64.tar.gz # mv linux-amd64/helm /usr/local/bin/helm # source <(helm completion bash) ==== Работа с готовыми Charts ==== * Сервис Keycloak [[Сервис Keycloak#Kubernetes]] === ingress-nginx === * [[https://kubernetes.github.io/ingress-nginx/deploy/|NGINX Ingress Controller Installation Guide]] * [[https://stackoverflow.com/questions/56915354/how-to-install-nginx-ingress-with-hostnetwork-on-bare-metal|stackoverflow How to install nginx-ingress with hostNetwork on bare-metal?]] * [[https://devpress.csdn.net/cloud/62fc8e7e7e66823466190055.html|devpress.csdn.net How to install nginx-ingress with hostNetwork on bare-metal?]] * [[https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml]] $ helm upgrade ingress-nginx --install ingress-nginx \ --set controller.hostNetwork=true,controller.publishService.enabled=false,controller.kind=DaemonSet,controller.config.use-forwarded-headers=true \ --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace $ helm list --namespace ingress-nginx $ helm list -A $ kubectl get all -n ingress-nginx -o wide $ helm delete ingress-nginx --namespace ingress-nginx $ mkdir ingress-nginx; cd ingress-nginx $ helm template ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx | tee t1.yaml $ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx | tee values.yaml.orig $ cat values.yaml controller: hostNetwork: true publishService: enabled: false kind: DaemonSet # config: # use-forwarded-headers: true # allow-snippet-annotations: true $ helm template ingress-nginx -f values.yaml --repo https://kubernetes.github.io/ingress-nginx -n ingress-nginx | tee t2.yaml $ helm upgrade ingress-nginx -i ingress-nginx -f values.yaml --repo https://kubernetes.github.io/ingress-nginx -n ingress-nginx --create-namespace $ kubectl exec -n ingress-nginx pods/ingress-nginx-controller- -- cat /etc/nginx/nginx.conf | tee nginx.conf | grep use_forwarded_headers $ kubectl -n ingress-nginx describe service/ingress-nginx-controller ... Endpoints: 192.168.X.221:80,192.168.X.222:80,192.168.X.223:80 ... # kubectl get clusterrole -A | grep -i ingress # kubectl get clusterrolebindings -A | grep -i ingress # kubectl get validatingwebhookconfigurations -A | grep -i ingress ==== Развертывание своего приложения ==== * [[https://helm.sh/docs/chart_template_guide/getting_started/|chart_template_guide getting_started]] * [[https://opensource.com/article/20/5/helm-charts|How to make a Helm chart in 10 minutes]] * [[https://stackoverflow.com/questions/49812830/helm-upgrade-with-same-chart-version-but-different-docker-image-tag|Helm upgrade with same chart version, but different Docker image tag]] * [[https://stackoverflow.com/questions/69817305/how-set-field-app-version-in-helm3-chart|how set field app-version in helm3 chart?]] gitlab-runner@server:~/gowebd-k8s$ helm create webd-chart $ less webd-chart/templates/deployment.yaml $ cat webd-chart/Chart.yaml ... description: A Helm chart WebD for Kubernetes ... version: 0.1.1 icon: https://val.bmstu.ru/unix/Media/logo.gif ... appVersion: "latest" #appVersion: ver1.7 #for vanilla argocd $ cat webd-chart/values.yaml ... replicaCount: 2 image: repository: server.corpX.un:5000/student/webd pullPolicy: Always ... serviceAccount: create: false ... service: # type: NodePort ... ingress: enabled: true className: "nginx" ... hosts: - host: webd.corpX.un ... # tls: [] # tls: # - secretName: gowebd-tls # hosts: # - gowebd.corpX.un ... #APWEBD_HOSTNAME: "apwebd.corp13.un" #KEYCLOAK_HOSTNAME: "keycloak.corp13.un" #REALM_NAME: "corp13" $ less webd-chart/templates/deployment.yaml ... imagePullPolicy: {{ .Values.image.pullPolicy }} # env: # - name: APWEBD_HOSTNAME # value: "{{ .Values.APWEBD_HOSTNAME }}" # - name: KEYCLOAK_HOSTNAME # value: "{{ .Values.KEYCLOAK_HOSTNAME }}" # - name: REALM_NAME # value: "{{ .Values.REALM_NAME }}" ... $ helm lint webd-chart/ $ helm template my-webd webd-chart/ | less $ helm install my-webd webd-chart/ -n my-ns --create-namespace --wait $ kubectl describe events -n my-ns | less $ export HELM_NAMESPACE=my-ns $ helm list $ ### helm upgrade my-webd webd-chart/ --set=image.tag=ver1.10 $ helm history my-webd $ helm rollback my-webd 1 $ helm uninstall my-webd ==== Работа со своим репозиторием ==== * [[https://docs.gitlab.com/ee/user/packages/helm_repository/|Helm charts in the Package Registry Gitlab]] * [[https://github.com/chartmuseum/helm-push/#readme|helm cm-push plugin]] * [[https://medium.com/containerum/how-to-make-and-share-your-own-helm-package-50ae40f6c221|How to make and share your own Helm package]] * [[https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html|Gitlab Personal access tokens]] * [[Инструмент GitLab#Подключение через API]] - Role: Mainteiner, api (read_registry, write_registry не нужно) gitlab-runner@server:~/gowebd-k8s$ helm repo add --username student --password NNNNN-NNNNNNNNNNNNNNNNNNN webd http://server.corpX.un/api/v4/projects/N/packages/helm/stable "webd" has been added to your repositories gitlab-runner@server:~/gowebd-k8s$ ### helm repo remove webd gitlab-runner@server:~/gowebd-k8s$ helm repo list gitlab-runner@server:~/gowebd-k8s$ helm package webd-chart gitlab-runner@server:~/gowebd-k8s$ tar -tf webd-chart-0.1.1.tgz gitlab-runner@server:~/gowebd-k8s$ helm plugin install https://github.com/chartmuseum/helm-push gitlab-runner@server:~/gowebd-k8s$ helm cm-push webd-chart-0.1.1.tgz webd gitlab-runner@server:~/gowebd-k8s$ rm webd-chart-0.1.1.tgz kube1:~# helm repo add webd http://server.corpX.un/api/v4/projects/N/packages/helm/stable kube1:~# helm repo update kube1:~# helm search repo webd kube1:~# helm repo update webd kube1:~# helm install my-webd webd/webd-chart kube1:~# ###helm uninstall my-webd kube1:~# mkdir gowebd; cd gowebd kube1:~/gowebd# ###helm pull webd/webd-chart kube1:~/gowebd# ###helm pull webd-chart --repo https://server.corp13.un/api/v4/projects/1/packages/helm/stable kube1:~/gowebd# helm show values webd-chart --repo https://server.corp13.un/api/v4/projects/1/packages/helm/stable | tee values.yaml.orig kube1:~/gowebd# cat values.yaml replicaCount: 3 image: tag: "ver1.1" #REALM_NAME: "corp" kube1:~/gowebd# helm upgrade my-webd -i webd-chart -f values.yaml -n my-ns --create-namespace --repo https://server.corp13.un/api/v4/projects/1/packages/helm/stable $ curl http://kubeN -H "Host: gowebd.corpX.un" kube1:~/gowebd# ###helm uninstall my-webd -n my-ns ==== Работа с публичными репозиториями ==== === gitlab-runner kubernetes === gitlab-runner@server:~$ helm repo add gitlab https://charts.gitlab.io gitlab-runner@server:~$ helm repo list gitlab-runner@server:~$ helm search repo -l gitlab/gitlab-runner gitlab-runner@server:~$ helm show values gitlab/gitlab-runner --version 0.56.0 | tee values.yaml gitlab-runner@server:~$ diff values.yaml values.yaml.orig ... gitlabUrl: http://server.corpX.un/ ... runnerRegistrationToken: "NNNNNNNNNNNNNNNNNNNNNNNN" ... 148,149c142 < create: true --- > create: false 325d317 < privileged = true 432c424 < allowPrivilegeEscalation: true --- > allowPrivilegeEscalation: false 435c427 < privileged: true --- > privileged: false gitlab-runner@server:~$ helm upgrade -i gitlab-runner gitlab/gitlab-runner -f values.yaml -n gitlab-runner --create-namespace --version 0.56.0 gitlab-runner@server:~$ kubectl get all -n gitlab-runner == SSL/TLS == # kubectl -n gitlab-runner create configmap wild-crt --from-file=wild.crt # cat values.yaml ... gitlabUrl: https://server.corpX.un/ ... config: | [[runners]] tls-ca-file = "/mnt/wild.crt" [runners.kubernetes] ... #volumeMounts: [] volumeMounts: - name: wild-crt subPath: wild.crt mountPath: /mnt/wild.crt #volumes: [] volumes: - name: wild-crt configMap: name: wild-crt ===== Kubernetes Dashboard ===== * https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ * https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml $ cat dashboard-user-role.yaml --- apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard --- apiVersion: v1 kind: Secret metadata: name: admin-user namespace: kubernetes-dashboard annotations: kubernetes.io/service-account.name: "admin-user" type: kubernetes.io/service-account-token $ kubectl apply -f dashboard-user-role.yaml $ kubectl -n kubernetes-dashboard create token admin-user $ kubectl get secret admin-user -n kubernetes-dashboard -o jsonpath={".data.token"} | base64 -d ; echo cmder$ kubectl proxy * http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ ===== Отладка, troubleshooting ===== ==== Отладка etcd ==== * [[https://sysdig.com/blog/monitor-etcd/|How to monitor etcd]] kubeN:~# more /etc/kubernetes/manifests/kube-apiserver.yaml kubeN:~# etcdctl member list -w table \ --endpoints=https://kube1:2379 \ --cacert=/etc/ssl/etcd/ssl/ca.pem \ --cert=/etc/ssl/etcd/ssl/node-kube1.pem \ --key=/etc/ssl/etcd/ssl/node-kube1-key.pem kubeN:~# etcdctl endpoint status -w table \ --endpoints=https://kube1:2379,https://kube2:2379,https://kube3:2379 \ --cacert=/etc/ssl/etcd/ssl/ca.pem \ --cert=/etc/ssl/etcd/ssl/node-kube1.pem \ --key=/etc/ssl/etcd/ssl/node-kube1-key.pem ===== Дополнительные материалы ===== ==== Настройка registry-mirrors для Kubespray ==== ~/kubespray# cat inventory/mycluster/group_vars/all/docker.yml ... docker_registry_mirrors: - https://mirror.gcr.io ... ~/kubespray# cat inventory/mycluster/group_vars/all/containerd.yml ... containerd_registries_mirrors: - prefix: docker.io mirrors: - host: https://mirror.gcr.io capabilities: ["pull", "resolve"] skip_verify: false ... ==== Установка kubelet kubeadm kubectl в ubuntu20 ==== * На каждом узле нужно сделать mkdir /etc/apt/keyrings curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list apt update && apt install -y kubeadm=1.28.1-1.1 kubelet=1.28.1-1.1 kubectl=1.28.1-1.1 ==== Use .kube/config Client certs in curl ==== * [[https://serverfault.com/questions/1094361/use-kube-config-client-certs-in-curl|Use .kube/config Client certs in curl]] cat ~/.kube/config | yq -r '.clusters[0].cluster."certificate-authority-data"' | base64 -d - > ~/.kube/ca.pem cat ~/.kube/config | yq -r '.users[0].user."client-certificate-data"' | base64 -d - > ~/.kube/user.pem cat ~/.kube/config | yq -r '.users[0].user."client-key-data"' | base64 -d - > ~/.kube/user-key.pem SERVER_URL=$(cat ~/.kube/config | yq -r .clusters[0].cluster.server) curl --cacert ~/.kube/ca.pem --cert ~/.kube/user.pem --key ~/.kube/user-key.pem -X GET ${SERVER_URL}/api/v1/namespaces/default/pods/ ==== bare-metal minikube ==== student@node2:~$ sudo apt install conntrack https://computingforgeeks.com/install-mirantis-cri-dockerd-as-docker-engine-shim-for-kubernetes/ ... wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.2/crictl-v1.24.2-linux-amd64.tar.gz ... student@node2:~$ minikube start --driver=none --insecure-registry "server.corpX.un:5000" ==== minikube dashboard ==== student@node1:~$ minikube dashboard & ... Opening http://127.0.0.1:NNNNN/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/ in your default browser ... /home/mobaxterm> ssh -L NNNNN:localhost:NNNNN student@192.168.X.10 Теперь, та же ссылка работает на win host системе ==== Подключение к minikube с другой системы ==== * Если не minikube, то достаточно только копию .kube/config * [[https://habr.com/ru/company/flant/blog/345580/|см. Настройка GitLab Runner]] student@node1:~$ tar -cvzf kube-config.tar.gz .kube/config .minikube/ca.crt .minikube/profiles/minikube gitlab-runner@server:~$ scp student@node1:kube-config.tar.gz . gitlab-runner@server:~$ tar -xvf kube-config.tar.gz gitlab-runner@server:~$ cat .kube/config ... certificate-authority: /home/gitlab-runner/.minikube/ca.crt ... client-certificate: /home/gitlab-runner/.minikube/profiles/minikube/client.crt client-key: /home/gitlab-runner/.minikube/profiles/minikube/client.key ... ==== kompose ==== * [[https://stackoverflow.com/questions/47536536/whats-the-difference-between-docker-compose-and-kubernetes|What's the difference between Docker Compose and Kubernetes?]] * [[https://loft.sh/blog/docker-compose-to-kubernetes-step-by-step-migration/|Docker Compose to Kubernetes: Step-by-Step Migration]] * [[https://kubernetes.io/docs/tasks/configure-pod-container/translate-compose-kubernetes/|Translate a Docker Compose File to Kubernetes Resources]] root@gate:~# curl -L https://github.com/kubernetes/kompose/releases/download/v1.26.0/kompose-linux-amd64 -o kompose root@gate:~# chmod +x kompose root@gate:~# sudo mv ./kompose /usr/local/bin/kompose * [[Технология Docker#docker-compose]] gitlab-runner@gate:~/webd$ kompose convert gitlab-runner@gate:~/webd$ ls *yaml gitlab-runner@gate:~/webd$ kubectl apply -f sftp-deployment.yaml,vol1-persistentvolumeclaim.yaml,webd-service.yaml,sftp-service.yaml,webd-deployment.yaml gitlab-runner@gate:~/webd$ kubectl get all